Surveillance technology sold to governments by the firm NSO Group has repeatedly been used to target the phones of journalists, activists, politicians, and diplomats. The software, called Pegasus, allows attackers full access to the phone’s camera, microphone, call logs, emails, text messages and more – the security of which is critical for people who uncover government abuses. Human Rights Watch recently learned that the iPhone of Lama Fakih, who oversees our work in conflict zones and other emergencies, was compromised with Pegasus. Human Rights Watch’s Fred Abrahams interviews Fakih about how she learned of the attacks, why she decided to go public, and why it’s essential that governments regulate the flourishing spyware industry.
Please tell us briefly about your job at HRW - what do you do?
I started working with Human Rights Watch in Beirut after the start of the Arab Spring in 2011 as the Syria and Lebanon researcher. Since then, I’ve held several positions in the organization, and have also worked at Amnesty International. Currently, I am the director of Human Rights Watch’s Crisis and Conflict Division and I head up our Lebanon office. The work I oversee takes place in countries as far ranging as Syria, Myanmar, Israel/Palestine, Kazakhstan, Ethiopia, the United States, Lebanon, and Afghanistan. Part of our work is also on how surveillance technologies have been deployed in illegal, rights-abusing ways.
When did you learn about the spyware intrusion on your phone?
Apple notified me that I was the subject of a state-sponsored attack on my iPhone on November 23 and again on November 24, 2021. I received an iMessage to my Lebanese phone number and an email notification from Apple warning me that they believed I was being targeted by state-sponsored attackers, who, they said, were likely targeting me because of who I am or what I do. I immediately contacted Human Rights Watch’s information security director, and we began the process of confirming that the attack had occurred.
Apple sued NSO Group in November 2021 to stop the use of its surveillance software on Apple devices. The company, which is based in Israel, says it only sells the spyware to governments to stop criminals and terrorists, and does not pursue a contractual agreement with a potential client where the human rights risks are “unduly high”. But the attacks against me and countless other activists and journalists are proof that that isn’t true.
What was your first reaction?
The news was overwhelming. I felt dread and disbelief. You have a million thoughts going through your head. Why would I be targeted in this way and how? What government did this? What does this mean for my security and for the security of everyone whose data may have been compromised as a result of the attack? What did they have access to and what has been compromised? How can I stop this from happening again? I am still asking myself a lot of these questions and, most probably, I will never have the answers. We may never know who attacked my phone and why.
How did you verify that the attack happened?
The day I received the notification from Apple, our information security director confirmed that the notification was authentic. The next day, after an initial analysis of my iPhone’s logs, she confirmed that a government attack using Pegasus software had taken place. That was the first step in a series of technical analyses we then did to understand more about the attack.
What steps did you then take?
First, we ensured that all my devices and data were secure, and we checked the devices of Human Rights Watch colleagues who were working closely with me or who we believed might have been attacked for other reasons. We found no evidence of compromise on other staff devices.
After a full forensic analysis, we found that Pegasus was used to infect my current and old iPhone on at least five occasions between April and August 2021. We also asked Amnesty International’s Security Lab to peer review it. They agreed with the analysis.
The attacks were so-called “zero-click” attacks, which meant I didn’t do anything—like click on a link—for the attack to start. There is no way to prevent this type of attack. Once on your device, Pegasus can harvest more or less any information or extract any file – text messages, contacts, photos, call history, calendar entries, emails, and internet browsing histories. Research shows that Pegasus covers its tracks by deleting processes or pretending to be a legitimate process of the phone’s operating system, making it impossible to know what data was compromised or whether the camera and microphone were used to spy on me.
Then, we sent a letter to NSO Group, the company that produces the Pegasus surveillance software, asking them to comment on the targeting of a Human Rights Watch staff member and whether they thought this was a legitimate use of their product. There have been numerous reports that Pegasus software has been used to infiltrate the devices of activists, journalists, politicians, and diplomats, but NSO Group has repeatedly denied these reports.
We also communicated with our local and international partners who have been working on this issue for a long time, such as Amnesty International, Access Now and Citizen Lab, and SMEX and SKeyes in Lebanon, who both work on digital rights.
After all this, we decided to make this state-sponsored attack public, in order to raise awareness of this risk to civil society partners and contacts more broadly. Speaking out about these attacks is critical to stopping the unchecked use of surveillance technology.
How did NSO Group respond to Human Rights Watch’s letter?
NSO Group responded to Human Rights Watch’s request for comment saying that it is “not aware of any active customer using [its] technology against a Human Rights Watch staff member” and that it would open an initial assessment into our allegation to determine if an investigation is warranted. The company said it takes “any allegation of the misuse of [its] system against a human rights defender most seriously,” and that such misuse would violate their policies and the terms of its contracts with customers. It referred Human Rights Watch to its Whistleblower Policy and Transparency Report, which outline how they respond to such allegations.
How does this attack impact your work?
Human Rights Watch knows that governments target and try to silence human rights defenders around the world. We have rigorous information security protocols to protect our staff and contacts and the confidentiality of our work.
In addition to taking these measures, now I also keep a barebones amount of information on my Lebanese phone. Even at the time of the attacks, I did not access Human Rights Watch email or our internal systems from the phone, which limited the data that was compromised. Apple has since patched the vulnerability that NSO Group exploited to attack me and others, and in November, the company filed a lawsuit against NSO Group for the attacks on its users.
All of these measures help to protect our data, which in turn facilitates my ability to do my work safely. But there will be other vulnerabilities, and NSO Group is just one company in the surveillance industry selling sophisticated surveillance technology to governments. In the absence of regulation that would limit the sale and use of spyware for abusive purposes, with zero-click attacks, I and other rights defenders and journalists—and anyone, really—remain vulnerable.
This doesn’t only impact our rights and security, but also that of anyone we communicate with or about. These attacks make our work harder and riskier. They have real-life consequences. People have been detained, tortured, and in some cases, even killed, after being attacked by Pegasus spyware or after someone they know has. While I don’t believe these illegal attacks on my phone resulted in harm to other people, that risk remains.
What’s it like, not knowing who attacked you and why?
It’s frustrating. NSO has said it only sells its products to governments, but which government was responsible for the attack?
At the time of the attacks, between April and July 2021, I was overseeing work related to a number of crises around the world. These included the hostilities between Israel and armed groups in Gaza that May as well as intensive work on an investigation into the devastating explosion at the Beirut port, which happened in August 2020, for which Lebanese government officials bear responsibility. But there’s no way to tell if the attacks were related to my work at that time.
In July, Forbidden Stories, a Paris-based nonprofit media organization, with the technical support of Amnesty International, revealed that they had obtained a leaked list of more than 50,000 phone numbers that have been reported as potential targets for surveillance by known NSO clients. My number was not on this list, but Daraj Media, an independent digital media platform based in Lebanon, reported that about 300 Lebanese phone numbers were, including numbers belonging to politicians, journalists, activists, and businessmen.
Forbidden Stories and their media partners identified potential NSO clients in 11 countries, including four in the Middle East and North Africa, where I am based and where I’ve focused much of my work over the past 10 years. These are Bahrain, Morocco, Saudi Arabia, and the United Arab Emirates. In April 2021, Axios reported that the Jordanian government was negotiating with NSO Group to buy surveillance technology. Human Rights Watch and others have also reported how Pegasus spyware has been used against Palestinian rights defenders based in the West Bank.
Was one of these other governments responsible for the attack? I still don’t know.
What does this mean for human rights?
It is well established that Pegasus spyware is being used to illegally or arbitrarily surveil activists and journalists in every region of the world, but we do not know how pervasive these attacks are. My fear is that what we know is just the tip of the iceberg.
Part of the reason I wanted to come forward publicly is because I occupy a privileged position. I hold a senior position in a prominent global human rights organization. I am a lawyer and graduated from a top US law school, and I am an American citizen. I think the attack against me says something about just how common this is, how powerless we are to stop these attacks under the current legal regime, and also about the profile of the people being targeted. Really, anyone could be attacked, anyone on my team, or at a partner organization or from the press. You could be attacked and you might never know.
It is hard to inventory, or quantify, just how harmful these attacks, and illegal surveillance more broadly, are from a human rights perspective. Yes, they violate our right to privacy, but the harms are much more nefarious and far reaching than that. In addition to stripping us of our privacy, these attacks undermine our freedom of expression and association. They undermine our ability to communicate freely, without fear of being listened in on. They threaten our personal security and that of the people we know. But this is just on the individual level. In the aggregate, these attacks threaten all of our rights.
It is no accident that governments are using spyware to target activists and journalists, the very people who uncover their abusive practices. They seem to believe that by doing so, they can consolidate power, muzzle dissent, and protect their manipulation of facts. This is the very dystopian reality that I and other rights defenders and journalists are fighting so hard to avoid.
Unchecked sales and use of surveillance technology make activists and journalists more vulnerable to government abuse and forced censorship. When those who speak out against rights-abusing governments are attacked, that makes us all more vulnerable to abuse.
What should be done about spyware?
Governments should suspend the trade in surveillance technology until rights-protecting regulatory frameworks are in place. Governments should also stop using surveillance technologies in ways that violate human rights.
Despite years of human rights organizations reporting on the abuse of commercial spyware and the need for stronger regulations, governments have effectively allowed companies like NSO Group to regulate themselves. This has allowed them to continue to sell their spyware to governments that are known rights abusers and who have proven records of using spyware to target journalists and human rights defenders.
Governments should be regulating this trade and holding companies accountable for their sales and actions.